Network Computing
Demystifying Cisco Access Control Lists

Learn by Doing

The following examples should provide you with the basics you need to set up your own access lists. If you follow the rules we outline, then you should be able to come up with filters that meet your requirements.

· Denying access to a host

Our first example is a statement that denies access to a host with the IP address of 130.120.110.100. Make sure you are at the "enable" level and enter "config" mode (or config terminal), and enter the following:

access-list 101 deny ip 0.0.0.0 255.255.255.255 130.120.110.100 0.0.0.0

The 255 mask on every octet of the source address signifies that the whole source address in the filter should be ignored. Technically, it doesn't matter what you use as the IP source address here, because it will be ignored. The all-0s mask on the destination address means that you want to match the entire address. If you wanted to deny access to all addresses on the 130.120.110 network, you would use a mask of 0.0.0.255. The 255 in this case means ignore the last octet of the address when looking for a matching packet.

· Allowing access only to HTTP on a host

Here, we permit access only to the HTTP port on the host and deny all other access to the host. This requires two lines:

access-list 101 permit tcp 0.0.0.0 255.255.255.255 130.120.110.100 0.0.0.0 eq 80

access-list 101 deny ip 0.0.0.0 255.255.255.255 130.120.110.100 0.0.0.0

The first statement matches any packet with 130.120.110.100 as the destination IP address and with a TCP destination port equal to 80. The second statement matches all IP packets with that destination address, thus denying every packet to the host that was not already permitted by the previous statement.

Tying Up Loose Ends

Although all unmatched packets are dropped by default, it's still a good idea to end the list with a statement that denies everything. This helps you keep track of the end of the list:

access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Of course, if you want to begin your list by denying specific packets and you want to allow everything else, you would use the same statement with a permit instead of a deny. An easier way to state this is to use the following syntax:

access-list 101 deny ip any any

This statement functions exactly the same as the previous one, and later versions of the IOS will translate the longer version into this shorter version when you display it.

When you display the list, you may find that some of the TCP and UDP port numbers have been changed to a verbose description. We prefer to enter numbers because they are backward-compatible with previous IOS versions.

Turning It On

Once you have your access list set up, you must apply it to the interface before it becomes effective. Just as you would for any change to an interface configuration, you will have to enter "config" mode and designate the interface where you want to apply the filter. At this point, the list of access list statements is referred to as a "group." The command to apply access list 101 to incoming packets on an interface is:

ip access-group 101 in

As soon as you enter this command, the access list will immediately take effect. It's helpful to start a continuous ping in another window to a host on the other side of the interface that you're filtering to monitor its accessibility while applying the list. Save your changes with a "write memory" and a "write network" if you're backing your configurations up on a TFTP server.

You can use the "show config" command to see which access groups are associated with particular interfaces. This command also will list all of the access list statements at the end. An easier way to look at the access lists is the "show access list" command. If you use an access list number as an argument, you will only see that list. (Do this before choosing an access list number to make sure it is not already in use.) This command also will give you statistics on matches to every access list statement. To clear all the statistics, issue a "clear access-list counters," using the list number as an argument to designate a specific list.

As stated earlier, you cannot easily go back and insert a change into an access list because the statements are processed in the order that they are originally entered into the router. (With version 11.2, you can go back and selectively delete lines, but not insert any.) If you use TFTP to load new configurations into the router, you can edit the configuration file on your TFTP host, which will get loaded in with the changes. The disadvantage to this is that you will have to schedule it for a time when you can reboot the router.

Copyright © 2008 United Business Media LLC